
Mean Time to Detect (MTTD)

Mean time to detect, or MTTD, is the average time it takes an organization to discover that a security incident or suspicious event has occurred. It matters because faster detection usually means less attacker dwell time and lower incident impact.

What is Mean Time to Detect (MTTD)?

MTTD is a performance metric used in security operations to evaluate how quickly threats are recognized after they begin. It can reflect the quality of monitoring, detections, telemetry, alerting, and analyst workflows.

What Influences MTTD

Common factors include log coverage, detection engineering, alert quality, analyst staffing, response workflows, and visibility into cloud, identity, endpoint, and network activity.

MTTD vs. MTTR

MTTD measures how quickly an incident is found. MTTR measures how quickly it is contained, remediated, or resolved after detection.
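The two metrics computed from incident timelines, as an added example that is not part of the original page. The records and their field names (`began`, `detected`, `resolved`, `source`) are constructed assumptions; incidents with a missing or impossible timestamp pair are left out of the mean and reported rather than silently counted.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident records, not real data. Field names are assumptions.
# None means the timestamp is unknown or the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "source": "endpoint", "began": "2024-03-01T08:00:00",
     "detected": "2024-03-01T10:00:00", "resolved": "2024-03-01T16:00:00"},
    {"id": "INC-2", "source": "identity", "began": "2024-03-03T00:00:00",
     "detected": "2024-03-05T00:00:00", "resolved": "2024-03-05T12:00:00"},
    {"id": "INC-3", "source": "cloud", "began": "2024-03-10T09:00:00",
     "detected": "2024-03-10T13:00:00", "resolved": None},
    {"id": "INC-4", "source": "network", "began": None,
     "detected": "2024-03-12T09:00:00", "resolved": "2024-03-12T11:00:00"},
    # Impossible ordering (detected before began), e.g. a data-entry error.
    {"id": "INC-5", "source": "endpoint", "began": "2024-03-15T12:00:00",
     "detected": "2024-03-15T11:00:00", "resolved": "2024-03-15T15:00:00"},
]


def interval_hours(rec, start_key, end_key):
    """Hours between two timestamps, or None if either is missing or reversed."""
    start, end = rec.get(start_key), rec.get(end_key)
    if not start or not end:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600 if delta >= timedelta(0) else None


def mean_interval(records, start_key, end_key):
    """Return (mean hours or None, ids excluded from the mean)."""
    pairs = [(r["id"], interval_hours(r, start_key, end_key)) for r in records]
    usable = [h for _, h in pairs if h is not None]
    skipped = [i for i, h in pairs if h is None]
    return (mean(usable) if usable else None), skipped


def mttd(records):
    return mean_interval(records, "began", "detected")     # onset to detection


def mttr(records):
    return mean_interval(records, "detected", "resolved")  # detection to resolution


def mttd_by_source(records):
    """MTTD per telemetry source, to show where detection is slowest."""
    sources = sorted({r["source"] for r in records})
    return {s: mttd([r for r in records if r["source"] == s])[0] for s in sources}
```

On this sample the overall MTTD is 18 hours, driven almost entirely by the one 48-hour identity incident, which the per-source breakdown makes visible.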

Frequently Asked Questions

Why is MTTD important?

Because the longer attackers operate undetected, the more time they have for lateral movement, persistence, and data theft.

Is lower MTTD always enough?

No. Fast detection matters, but teams also need effective investigation and response after the alert arrives.


George Mutune

I am a cyber security professional with a passion for delivering proactive strategies for day-to-day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through inefficiency that plagues today's business environments.